Hello community, here is the log from the commit of package grub2 for openSUSE:Factory checked in at 2019-07-08 15:01:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/grub2 (Old) and /work/SRC/openSUSE:Factory/.grub2.new.4615 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grub2" Mon Jul 8 15:01:22 2019 rev:206 rq:713148 version:2.02 Changes: --------
--- /work/SRC/openSUSE:Factory/grub2/grub2.changes 2019-06-18 14:53:33.613509884 +0200
+++ /work/SRC/openSUSE:Factory/.grub2.new.4615/grub2.changes 2019-07-08 15:01:23.494567813 +0200
@@ -1,0 +2,14 @@
+Mon Jun 17 09:45:49 UTC 2019 - [email protected]
+
+- Use grub2-install to handle signed grub installation for UEFI secure
+ boot and also provide options to override default (bsc#1136601)
+ * grub2-secureboot-install-signed-grub.patch
+- Remove arm64 linuxefi patches as it's not needed for secure boot
+ * 0001-efi-refactor-grub_efi_allocate_pages.patch
+ * 0002-Remove-grub_efi_allocate_pages.patch
+ * 0003-arm64-efi-move-EFI_PAGE-definitions-to-efi-memory.h.patch
+ * 0004-efi-Add-central-copy-of-grub_efi_find_mmap_size.patch
+ * 0005-efi-Add-grub_efi_get_ram_base-function-for-arm64.patch
+ * 0006-Add-support-for-EFI-handover-on-ARM64.patch
+
+-------------------------------------------------------------------
Old: ---- 0001-efi-refactor-grub_efi_allocate_pages.patch 0002-Remove-grub_efi_allocate_pages.patch 0003-arm64-efi-move-EFI_PAGE-definitions-to-efi-memory.h.patch 0004-efi-Add-central-copy-of-grub_efi_find_mmap_size.patch 0005-efi-Add-grub_efi_get_ram_base-function-for-arm64.patch 0006-Add-support-for-EFI-handover-on-ARM64.patch New: ---- grub2-secureboot-install-signed-grub.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ grub2.spec ++++++
--- /var/tmp/diff_new_pack.RmfBvZ/_old 2019-07-08 15:01:31.866580470 +0200
+++ /var/tmp/diff_new_pack.RmfBvZ/_new 2019-07-08 15:01:31.870580477 +0200
@@ -305,12 +305,7 @@
Patch430: grub2-mkconfig-default-entry-correction.patch
Patch431: grub2-s390x-10-keep-network-at-kexec.patch
# Support for UEFI Secure Boot on AArch64 (FATE#326541)
-Patch450: 0001-efi-refactor-grub_efi_allocate_pages.patch
-Patch451: 0002-Remove-grub_efi_allocate_pages.patch
-Patch452: 0003-arm64-efi-move-EFI_PAGE-definitions-to-efi-memory.h.patch
-Patch453: 0004-efi-Add-central-copy-of-grub_efi_find_mmap_size.patch
-Patch454: 0005-efi-Add-grub_efi_get_ram_base-function-for-arm64.patch
-Patch455: 0006-Add-support-for-EFI-handover-on-ARM64.patch
+Patch450: grub2-secureboot-install-signed-grub.patch
# Use pkg-config to find Freetype2
Patch500: grub2-freetype-pkgconfig.patch
Patch501: grub2-btrfs-help-on-snapper-rollback.patch
@@ -618,11 +613,6 @@
%patch430 -p1
%patch431 -p1
%patch450 -p1
-%patch451 -p1
-%patch452 -p1
-%patch453 -p1
-%patch454 -p1
-%patch455 -p1
%patch500 -p1
%patch501 -p1
%patch510 -p1
@@ -747,7 +737,7 @@
PXE_MODULES="efinet tftp http"
CRYPTO_MODULES="luks gcry_rijndael gcry_sha1 gcry_sha256"
-%ifarch x86_64 aarch64
+%ifarch x86_64
CD_MODULES="${CD_MODULES} linuxefi"
%else
CD_MODULES="${CD_MODULES} linux"
++++++ grub2-secureboot-install-signed-grub.patch ++++++
>From 1ff2f31d12f7235423a1eb8a117e0c6f8b2f41c7 Mon Sep 17 00:00:00 2001
From: Michael Chang <[email protected]>
Date: Tue, 4 Jun 2019 12:32:35 +0800
Subject: [PATCH] grub-install: handle signed grub installation on arm64-efi
Use grub2-install to handle signed grub installation for arm64 UEFI secure boot, the default behavior is auto, which will install signed grub whenever detected. Two options, --suse-force-signed and --suse-inhibit-signed, can be used to override the default auto detecting behavior. The former will force to use prebuilt signed image and thus will fail if missing, the latter will always use 'mkimage' to create unsigned core image per the user's running environment.
Signed-off-by: Michael Chang <[email protected]> --- util/grub-install.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 85 insertions(+), 1 deletion(-) Index: grub-2.02/util/grub-install.c =================================================================== --- grub-2.02.orig/util/grub-install.c +++ grub-2.02/util/grub-install.c @@ -84,6 +84,15 @@ static int suse_enable_tpm = 0; enum { + SIGNED_GRUB_INHIBIT, + SIGNED_GRUB_AUTO, + SIGNED_GRUB_FORCE + }; + +static int signed_grub_mode = SIGNED_GRUB_AUTO; + +enum + { OPTION_BOOT_DIRECTORY = 0x301, OPTION_ROOT_DIRECTORY, OPTION_TARGET, @@ -108,6 +117,8 @@ enum OPTION_NO_BOOTSECTOR, OPTION_NO_RS_CODES, OPTION_SUSE_ENABLE_TPM, + OPTION_SUSE_FORCE_SIGNED, + OPTION_SUSE_INHIBIT_SIGNED, OPTION_MACPPC_DIRECTORY, OPTION_ZIPL_DIRECTORY, OPTION_LABEL_FONT, @@ -237,6 +248,14 @@ argp_parser (int key, char *arg, struct suse_enable_tpm = 1; return 0; + case OPTION_SUSE_FORCE_SIGNED: + signed_grub_mode = SIGNED_GRUB_FORCE; + return 0; + + case OPTION_SUSE_INHIBIT_SIGNED: + signed_grub_mode = SIGNED_GRUB_INHIBIT; + return 0; + case OPTION_DEBUG: verbosity++; return 0; @@ -299,7 +318,12 @@ static struct argp_option options[] = { N_("Do not apply any reed-solomon codes when embedding core.img. " "This option is only available on x86 BIOS targets."), 0}, {"suse-enable-tpm", OPTION_SUSE_ENABLE_TPM, 0, 0, N_("install TPM modules"), 0}, - + {"suse-force-signed", OPTION_SUSE_FORCE_SIGNED, 0, 0, + N_("force installation of signed grub" "%s." + "This option is only available on ARM64 EFI targets."), 0}, + {"suse-inhibit-signed", OPTION_SUSE_INHIBIT_SIGNED, 0, 0, + N_("inhibit installation of signed grub. " + "This option is only available on ARM64 EFI targets."), 0}, {"debug", OPTION_DEBUG, 0, OPTION_HIDDEN, 0, 2}, {"no-floppy", OPTION_NO_FLOPPY, 0, OPTION_HIDDEN, 0, 2}, {"debug-image", OPTION_DEBUG_IMAGE, N_("STRING"), OPTION_HIDDEN, 0, 2}, 
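Review bot: The numeric order of SIGNED_GRUB_INHIBIT, SIGNED_GRUB_AUTO and SIGNED_GRUB_FORCE is load-bearing — the arm64-efi case added to main() further down in this patch decides with `signed_grub_mode > SIGNED_GRUB_INHIBIT` and `signed_grub_mode >= SIGNED_GRUB_FORCE` — yet nothing at the definition says so. A comment above the new enum, `/* Ordered: INHIBIT < AUTO < FORCE; main() compares these with > and >=.  */`, would stop a later reordering or insertion from silently changing which image gets installed. The enum and the static default are file-scope declarations, so nothing here is cut by the hunk.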
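Review bot: In argp_parser the new OPTION_SUSE_FORCE_SIGNED and OPTION_SUSE_INHIBIT_SIGNED cases overwrite signed_grub_mode unconditionally, so `--suse-force-signed --suse-inhibit-signed` silently resolves to whichever came last instead of being reported as a conflict. Rejecting the opposite setting before assigning, e.g. in the force case `if (signed_grub_mode == SIGNED_GRUB_INHIBIT) grub_util_error (_("--suse-force-signed and --suse-inhibit-signed are mutually exclusive"));` with the mirror check in the inhibit case, still lets a single option be repeated harmlessly. The mode is also accepted for every platform but, judging from the main() hunk further down, only consulted under GRUB_INSTALL_PLATFORM_ARM64_EFI, so on other targets these options are silently ignored rather than refused even though the help text calls them arm64-only. argp_parser begins and ends outside this hunk.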
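Review bot: The doc string for suse-force-signed is assembled as `"force installation of signed grub" "%s." "This option is only available..."`, which has no separator after the period, so after help_filter's substitution the help reads `...signed grub [default=<path>/grub.efi].This option is only...`; the sibling suse-inhibit-signed entry does have the space. Changing the first fragments to `N_("force installation of signed grub%s. " "This option is only available on ARM64 EFI targets.")` fixes it. Because this string is later handed to xasprintf as a format (in the help_filter hunk), a `/* TRANSLATORS: %s is replaced by " [default=<path>]" or left empty.  */` note above the entry would keep translations from dropping or reordering the `%s`.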
@@ -364,6 +388,22 @@ help_filter (int key, const char *text, free (plats); return ret; } + case OPTION_SUSE_FORCE_SIGNED: + { + const char *t = get_default_platform (); + char *ret; + if (grub_strcmp (t, "arm64-efi") == 0) + { + char *s = grub_util_path_concat (3, grub_util_get_pkglibdir (), t, "grub.efi"); + char *text2 = xasprintf (" [default=%s]", s); + ret = xasprintf (text, text2); + free (text2); + free (s); + } + else + ret = xasprintf (text, ""); + return ret; + } case ARGP_KEY_HELP_POST_DOC: return xasprintf (text, program_name, GRUB_BOOT_DIR_NAME "/" GRUB_DIR_NAME); default: @@ -1596,13 +1636,34 @@ main (int argc, char *argv[]) char mkimage_target[200]; const char *core_name = NULL; + char *signed_imgfile = NULL; switch (platform) { - case GRUB_INSTALL_PLATFORM_I386_EFI: + case GRUB_INSTALL_PLATFORM_ARM64_EFI: + + if (signed_grub_mode > SIGNED_GRUB_INHIBIT) + { + signed_imgfile = grub_util_path_concat (2, grub_install_source_directory, "grub.efi"); + if (!grub_util_is_regular (signed_imgfile)) + { + if (signed_grub_mode >= SIGNED_GRUB_FORCE) + grub_util_error ("signed image `%s' does not exist\n", signed_imgfile); + else + { + free (signed_imgfile); + signed_imgfile = NULL; + } + } + } + + if (signed_imgfile) + fprintf (stderr, _("Use signed file in %s for installation.\n"), signed_imgfile); + + /* fallthrough. */ case GRUB_INSTALL_PLATFORM_X86_64_EFI: + case GRUB_INSTALL_PLATFORM_I386_EFI: case GRUB_INSTALL_PLATFORM_ARM_EFI: - case GRUB_INSTALL_PLATFORM_ARM64_EFI: case GRUB_INSTALL_PLATFORM_IA64_EFI: core_name = "core.efi"; snprintf (mkimage_target, sizeof (mkimage_target), 
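Review bot: `grub_strcmp (t, "arm64-efi")` in the new OPTION_SUSE_FORCE_SIGNED case of help_filter dereferences the result of get_default_platform() unguarded; that function is outside this hunk, and if it can return NULL on a host with no default platform, `--help` would crash there instead of printing. `if (t && grub_strcmp (t, "arm64-efi") == 0)` keeps the existing else branch as the fallback. The path shown as `[default=…]` is built from grub_util_get_pkglibdir(), whereas the install case in the next hunk looks for grub.efi under grub_install_source_directory, so the advertised default is only accurate when --directory is not given; either the help text should say so or both places should derive the path from one helper. help_filter begins and ends outside this hunk.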
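Review bot: `grub_util_error ("signed image `%s' does not exist\n", signed_imgfile)` in the new GRUB_INSTALL_PLATFORM_ARM64_EFI case is the only error in this patch that is neither wrapped in `_()` nor free of a trailing newline; the other calls (`_("Can't create file: %s")`, `_("cannot read `%s': %s")`) show the expected shape, and grub_util_error appears to append its own terminator, so the `\n` would leave a stray line in the output. `grub_util_error (_("signed image `%s' does not exist"), signed_imgfile);` matches the rest. The `/* fallthrough. */` comment is placed after the informational fprintf, which is correct, but a one-line comment on the case label, `/* arm64-efi: prefer the prebuilt signed grub.efi unless inhibited; then shares the EFI path below.  */`, would explain why this label alone does extra work before falling into the common EFI case. main() begins and ends outside this hunk.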
@@ -1678,13 +1739,75 @@ main (int argc, char *argv[]) core_name); char *prefix = xasprintf ("%s%s", prefix_drive ? : "", relative_grubdir); - if (core_name != mkimage_target) + char *grub_efi_cfg = NULL; + + if ((core_name != mkimage_target) && !signed_imgfile) grub_install_make_image_wrap (/* source dir */ grub_install_source_directory, /*prefix */ prefix, /* output */ imgfile, /* memdisk */ NULL, have_load_cfg ? load_cfg : NULL, /* image target */ mkimage_target, 0); + else if (signed_imgfile) + { + FILE *grub_cfg_f; + + grub_install_copy_file (signed_imgfile, imgfile, 1); + grub_efi_cfg = grub_util_path_concat (2, platdir, "grub.cfg"); + grub_cfg_f = grub_util_fopen (grub_efi_cfg, "wb"); + if (!grub_cfg_f) + grub_util_error (_("Can't create file: %s"), strerror (errno)); + + if (have_abstractions) + { + fprintf (grub_cfg_f, "set prefix=(%s)%s\n", grub_drives[0], relative_grubdir); + fprintf (grub_cfg_f, "set root=%s\n", grub_drives[0]); + } + else if (prefix_drive) + { + char *uuid = NULL; + if (grub_fs->uuid && grub_fs->uuid (grub_dev, &uuid)) + { + grub_print_error (); + grub_errno = 0; + uuid = NULL; + } + if (!uuid) + grub_util_error ("cannot find fs uuid for %s", grub_fs->name); + + fprintf (grub_cfg_f, "search --fs-uuid --set=root %s\n", uuid); + fprintf (grub_cfg_f, "set prefix=($root)%s\n", relative_grubdir); + } + + if (have_load_cfg) + { + size_t len; + char *buf; + + FILE *fp = grub_util_fopen (load_cfg, "rb"); + if (!fp) + grub_util_error (_("Can't read file: %s"), strerror (errno)); + + fseek (fp, 0, SEEK_END); + len = ftell (fp); + fseek (fp, 0, SEEK_SET); + buf = xmalloc (len); + + if (fread (buf, 1, len, fp) != len) + grub_util_error (_("cannot read `%s': %s"), load_cfg, strerror (errno)); + + if (fwrite (buf, 1, len, grub_cfg_f) != len) + grub_util_error (_("cannot write `%s': %s"), grub_efi_cfg, strerror (errno)); + + free (buf); + fclose (fp); + } + + fprintf (grub_cfg_f, "source ${prefix}/grub.cfg\n"); + fclose (grub_cfg_f); + free 
(signed_imgfile); + signed_imgfile = NULL; + } /* Backward-compatibility kludges. */ switch (platform) { @@ -1950,6 +2073,13 @@ main (int argc, char *argv[]) char *dst = grub_util_path_concat (2, efidir, efi_file); grub_install_copy_file (imgfile, dst, 1); free (dst); + if (grub_efi_cfg) + { + dst = grub_util_path_concat (2, efidir, "grub.cfg"); + grub_install_copy_file (grub_efi_cfg, dst, 1); + free (dst); + free (grub_efi_cfg); + } } if (!removable && update_nvram) {
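Review bot: `len = ftell (fp)` in the have_load_cfg branch stores a possibly negative long into a size_t without checking it or either fseek call, so an unseekable or failed load_cfg turns into `xmalloc ((size_t)-1)` and an allocation error that names the wrong cause; the rewritten lines below check both seeks and the ftell result before the cast. The `fclose (grub_cfg_f)` a few lines later is also unchecked, and since that file is what the last hunk copies onto the ESP, a flush failure on a full disk would leave a truncated grub.cfg beside the signed image with no error — `if (fclose (grub_cfg_f) != 0) grub_util_error (_("cannot write `%s': %s"), grub_efi_cfg, strerror (errno));`. The whole signed-image branch is about sixty lines inline in main(), whose body begins and ends outside this hunk; a static helper that takes signed_imgfile, imgfile, platdir and the prefix/root inputs would make it reviewable on its own.
```c
          FILE *fp = grub_util_fopen (load_cfg, "rb");
          if (!fp)
            grub_util_error (_("Can't read file: %s"), strerror (errno));

          if (fseek (fp, 0, SEEK_END) != 0)
            grub_util_error (_("cannot seek `%s': %s"), load_cfg, strerror (errno));
          long end = ftell (fp);
          if (end < 0)
            grub_util_error (_("cannot get size of `%s': %s"), load_cfg, strerror (errno));
          if (fseek (fp, 0, SEEK_SET) != 0)
            grub_util_error (_("cannot seek `%s': %s"), load_cfg, strerror (errno));
          len = (size_t) end;
          buf = xmalloc (len);
          /* … unchanged: fread into buf, fwrite to grub_cfg_f, free, fclose … */
```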
